Creepy backdoor found in NetSarang server management software

Do you use this suite? If yes: A July 18 update screwed over your security

Researchers at Kaspersky Lab have found a well-hidden backdoor in NetSang's server management software.

The secret access route, dubbed Shadowpad by its discoverers, lurks in the nssock2.dll library within NetSarang's Xmanager and Xshell software suites. It pings out every eight hours to a command-and-control server with the identity of the compromised computer, its network details, and user names.

The backdoor is activated as follows: the .DLL generates a domain name based on the month and year, and performs a DNS lookup on it. A specially crafted DNS TXT record for the domain triggers the opening of a channel to the control server, a decryption key is downloaded by the software, and its next stage is decrypted. This section provides a full backdoor for an attacker to run code and exfiltrate data.

If you can setup a domain name for a particular month and year, and mimic the control servers, you too can commandeer organizations infected with the compromised NetSarang tools.

The affected packages are:

Xmanager Enterprise 5.0 Build 1232

Xmanager 5.0 Build 1045

Xshell 5.0 Build 1322

Xftp 5.0 Build 1218

Xlpd 5.0 Build 1220

It is assumed someone managed to hack into NetSarang's operations and silently insert the backdoor, so that the backdoor code would stealthily propagate to test and production environments via legit cryptographically signed software updates.

"ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be," said Igor Soumenkov, from Kaspersky's global research and analysis team, on Tuesday. "Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component."

Kaspersky picked up on the malware when investigating suspicious DNS requests from a financial client's network in Hong Kong – basically, those eight-hour pings. The team found that when Shadowpad was activated it would download more code from a command-and-control server, and hide it in a virtual file system inside the registry.

NetSarang has now pushed out an update to kill the loitering software nasty, and is examining how the code got into its software. It first appeared on July 13, this year, and was shipped to customers five days later on July 18. If you have the dodgy version, patch now. Antivirus tools have been updated to be on the look out for the hacked .DLL.

Kaspersky said that the malware bears certain resemblance the PlugX and Winnti attack code used by Chinese hacking groups.

"Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator," NetSarang said in a statement.

"The security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously." ®